diff --git a/keyserver/package.json b/keyserver/package.json
--- a/keyserver/package.json
+++ b/keyserver/package.json
@@ -46,6 +46,7 @@
 "@parse/node-apn": "^3.2.0",
 "@vingle/bmp-js": "^0.2.5",
 "JSONStream": "^1.3.5",
+ "bad-words": "^3.0.4",
 "common-tags": "^1.7.2",
 "cookie-parser": "^1.4.3",
 "dateformat": "^3.0.3",
diff --git a/keyserver/src/creators/invite-link-creator.js b/keyserver/src/creators/invite-link-creator.js
--- a/keyserver/src/creators/invite-link-creator.js
+++ b/keyserver/src/creators/invite-link-creator.js
@@ -1,5 +1,7 @@
 // @flow
+import Filter from 'bad-words';
+
 import type {
 CreateOrUpdatePublicLinkRequest,
 InviteLink,
@@ -19,6 +21,7 @@
 import { Viewer } from '../session/viewer.js';
 const secretRegex = /^[a-zA-Z0-9]+$/;
+const badWordsFilter = new Filter();
 async function createOrUpdatePublicLink(
 viewer: Viewer,
@@ -27,6 +30,9 @@
 if (!secretRegex.test(request.name)) {
 throw new ServerError('invalid_characters');
 }
+ if (badWordsFilter.isProfane(request.name)) {
+ throw new ServerError('offensive_words');
+ }
 const permissionPromise = checkThreadPermission(
 viewer,
diff --git a/yarn.lock b/yarn.lock
--- a/yarn.lock
+++ b/yarn.lock
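Review bot: The `badWordsFilter.isProfane(request.name)` check in the third hunk of invite-link-creator.js probably rejects only names that are, in their entirety, a listed word. `secretRegex` has already limited `request.name` to `[a-zA-Z0-9]+`, and bad-words 3.x, as far as I recall, matches each list entry between `\b` word boundaries, so a listed word with other letters or digits attached would not be flagged; please confirm against the pinned 3.0.4 source. If whole-name matching is the intent, record it with a comment such as `// bad-words matches whole words only; a link name is one alphanumeric token`, and if substring matching is wanted the check has to be written against the word list directly, with the false positives that brings. A unit test that pins which names are accepted and rejected would keep a later bump within `^3.0.4` from changing the behaviour silently. `createOrUpdatePublicLink` continues outside the hunk.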
@@ -7617,6 +7617,18 @@ babel-plugin-jest-hoist "^26.6.2" babel-preset-current-node-syntax "^1.0.0" +bad-words@^3.0.4: + version "3.0.4" + resolved "https://registry.yarnpkg.com/bad-words/-/bad-words-3.0.4.tgz#044c83935c4c363a905d47b5e0179f7241fecaec" + integrity sha512-v/Q9uRPH4+yzDVLL4vR1+S9KoFgOEUl5s4axd6NIAq8SV2mradgi4E8lma/Y0cw1ltVdvyegCQQKffCPRCp8fg== + dependencies: + badwords-list "^1.0.0" + +badwords-list@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/badwords-list/-/badwords-list-1.0.0.tgz#5e9856dbf13482a295c3b0b304afb9d4cfc5c579" + integrity sha512-oWhaSG67e+HQj3OGHQt2ucP+vAPm1wTbdp2aDHeuh4xlGXBdWwzZ//pfu6swf5gZ8iX0b7JgmSo8BhgybbqszA== + balanced-match@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767"